{"componentChunkName":"component---src-templates-manual-template-tsx","path":"/manuals/client-user/61/serverauth-cert-cli.html","webpackCompilationHash":"d1750f6cc413894a8b5c","result":{"data":{"promoBlocks":{"edges":[{"node":{"contentful_id":"47glnSpWzXeFylv2vfQEF8","internal":{"type":"ContentfulPromotionBlock"},"title":{"internal":{"type":"ContentfulHeading"},"contentful_id":"7KIOfSfgwJnCXuvRN6CfrP","textContent":"Standing privileges are a risk with PAM","color":"black","size":"medium"},"subTitle":null,"content":{"nodeType":"document","internal":{"content":"{\"nodeType\":\"document\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"content\":[{\"nodeType\":\"text\",\"value\":\"Start your journey towards a just-in-time (JIT) model with zero standing privileges (ZSP). Read 'Remove Standing Privileges Through a Just-In-Time PAM Approach' by Gartner , courtesy of SSH.COM.\\n \\n\",\"marks\":[],\"data\":{}}],\"data\":{}}]}"}},"callToAction":{"internal":{"type":"ContentfulButton"},"contentful_id":"19EUesynV2Z7HHcuJk0BAS","content":"Download Gartner research","internalLink":null,"externalLink":"https://info.ssh.com/gartner_research_privileged_access_management","assetLink":null,"anchor":null},"picture":{"internal":{"type":"ContentfulAsset"},"contentful_id":"2ClylmBswcfDx4XdO7NTmL","title":"ICON Gartner ZSP","description":"","file":{"url":"//images.ctfassets.net/0lvk5dbamxpi/2ClylmBswcfDx4XdO7NTmL/78e899153ed66aec3b03b9a2cacd112d/ICON_Gartner_ZSP_ICON_Gartner.png","contentType":"image/png"},"fluid":{"aspectRatio":1,"src":"//images.ctfassets.net/0lvk5dbamxpi/2ClylmBswcfDx4XdO7NTmL/78e899153ed66aec3b03b9a2cacd112d/ICON_Gartner_ZSP_ICON_Gartner.png?w=3000&q=50","srcSet":"//images.ctfassets.net/0lvk5dbamxpi/2ClylmBswcfDx4XdO7NTmL/78e899153ed66aec3b03b9a2cacd112d/ICON_Gartner_ZSP_ICON_Gartner.png?w=750&h=750&q=50 750w,\n//images.ctfassets.net/0lvk5dbamxpi/2ClylmBswcfDx4XdO7NTmL/78e899153ed66aec3b03b9a2cacd112d/ICON_Gartner_ZSP_ICON_Gartner.png?w=1500&h=1500&q=50 1500w,\n//images.ctfassets.net/0lvk5dbamxpi/2ClylmBswcfDx4XdO7NTmL/78e899153ed66aec3b03b9a2cacd112d/ICON_Gartner_ZSP_ICON_Gartner.png?w=1601&h=1601&q=50 1601w","sizes":"(max-width: 3000px) 100vw, 3000px"},"fixed":{"width":3000,"height":3000,"src":"//images.ctfassets.net/0lvk5dbamxpi/2ClylmBswcfDx4XdO7NTmL/78e899153ed66aec3b03b9a2cacd112d/ICON_Gartner_ZSP_ICON_Gartner.png?w=3000&q=50","srcSet":""}},"centered":true,"indentMainContent":null,"transparentBackground":null,"imageScale":70,"imagePadding":null,"name":"WIKI migration side promo block2","product":null,"funnel":null,"topic":null,"keywords":null,"type":null,"priority":null,"globalOverride":null}},{"node":{"contentful_id":"6dfNaA1UlY4bADKQk6awhs","internal":{"type":"ContentfulPromotionBlock"},"title":{"internal":{"type":"ContentfulHeading"},"contentful_id":"49Tb2wSR21P5C2cpcgMZ3","textContent":"Get Multi-cloud PAM software - for free!","color":"black","size":"medium"},"subTitle":null,"content":{"nodeType":"document","internal":{"content":"{\"data\":{},\"content\":[{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"PrivX® Free replaces your in-house jump hosts and combines your AWS, GCP and Azure access into one multi-cloud solution.\\n \\n\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"}],\"nodeType\":\"document\"}"}},"callToAction":{"internal":{"type":"ContentfulButton"},"contentful_id":"1dmQ13jyyZ46ID07eVNVFb","content":"PrivX Free","internalLink":null,"externalLink":"https://info.ssh.com/privx-free-access-management-software","assetLink":null,"anchor":null},"picture":{"internal":{"type":"ContentfulAsset"},"contentful_id":"4UUYdjING8micwZQur5o6d","title":"ICON computer (search)","description":"","file":{"url":"//images.ctfassets.net/0lvk5dbamxpi/4UUYdjING8micwZQur5o6d/1b378a0f4646075c7a4788f1afffbabe/ICON_computer__search_.svg","contentType":"image/svg+xml"},"fluid":{"aspectRatio":null,"src":null,"srcSet":null,"sizes":null},"fixed":{"width":null,"height":null,"src":null,"srcSet":null}},"centered":true,"indentMainContent":null,"transparentBackground":null,"imageScale":70,"imagePadding":null,"name":"WIKI migration side promo block1","product":null,"funnel":null,"topic":null,"keywords":null,"type":null,"priority":null,"globalOverride":null}}]}},"pageContext":{"isCreatedByStatefulCreatePages":false,"body":"
\"SSH\"\"
\"\"
\"\"
\"Home\" \"Prev\" \"Up\" \"Next\"  

Using the Configuration File (Unix)

When configuring the client, it must be set up to trust the CA certificate and \nto access the certificate revocation list (CRL).

To configure the client to trust the server's certificate, perform the \nfollowing tasks:

  1. Copy the CA certificate(s) to the client machine. You can \neither copy the X.509 certificate(s) as such, or you can copy a \nPKCS #7 package including the CA certificate(s).

    Certificates can be extracted from a PKCS #7 package by \nspecifying the -7 flag with ssh-keygen-g3.

  2. Define the CA certificate(s) to be used in host \nauthentication in the ssh-broker-config.xml file under \nthe general element:

    <cert-validation end-point-identity-check=\"yes\" \n                 http-proxy-url=\"http://proxy.example.com:800\">\n  <ldap-server address=\"ldap://ldap.example.com:389\" />\n  <ocsp-responder url=\"http://ocsp.example.com:8090\" validity-period=\"0\" /> \n  <dod-pki enable=\"no\" />\n  <ca-certificate name=\"ssh_ca1\"\n                  file=\"ssh_ca1.crt\"\n                  disable-crls=\"no\"\n                  use-expired-crls=\"100\" />\n</cert-validation>         \n

    The client will only accept \ncertificates issued by the defined CA(s).

    You can disable the use of CRLs by setting the \ndisable-crls attribute of the \nca-certificate element to \"yes\".

    \"[Note]\"Note

    CRL usage should only be disabled for testing purposes. Otherwise it \nis highly recommended to always use CRLs.

    Also define the LDAP server(s) or OCSP responder(s) used for CRL \nchecks. Defining the LDAP server is not necessary if the CA certificate \ncontains a CRL distribution point extension.

  3. If the CA services (OCSP, CRL) are located behind a \nfirewall, define also the SOCKS server in the \nssh-broker-config.xml file. \nThe SOCKS server is defined inside cert-validation with the \nsocks-server-url element.

\"Home\" \"Prev\" \"Up\" \"Next\"  

\n Copyright 2010 SSH Communications Security Corp.
\n This software is protected by international copyright laws. All rights reserved.
Contact Information

","head":"Using the Configuration File (Unix)","url":"/manuals/client-user/61/serverauth-cert-cli.html"}}}